fix: pin GitHub Actions to SHA hashes

[koralkulacoglu]

🔒 Security: Pin GitHub Actions to SHA hashes

This PR pins GitHub Actions to their SHA hashes to improve security by preventing potential supply chain attacks through tag mutation.

Task: DX-1985

One-Pager: Automatic SHA Pinner One-Pager

📊 Summary

• 4 action references pinned to SHA hashes
• 2 workflow files updated

📝 Changes Made

.github/workflows/ci.yaml

• codecov/codecov-action@v3.1.1 → codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
• xresloader/upload-to-github-release@v1.3.9 → xresloader/upload-to-github-release@a11a070bfe789a1d5e539e4f511fd31ce685aeb3

.github/workflows/helmrelease.yaml

• azure/setup-helm@v3.4 → azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82
• helm/chart-releaser-action@v1.4.1 → helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f

🔍 Why this change?

Pinning GitHub Actions to SHA hashes instead of tags provides:

1. Immutability: SHA hashes cannot be changed, preventing malicious updates to existing releases
2. Supply Chain Security: Protects against compromised action maintainer accounts
3. Compliance: Aligns with security best practices for CI/CD pipelines

🧪 Testing

• Verify all workflows still function correctly
• Check that no functionality is broken by the pinned versions

❓ Questions?

If you have any questions about this change, feel free to ask the dev-ex team in #notify-dev-ex.

📚 References

• GitHub Security Hardening Guide
• OSSF Security Best Practices

---

🤖 This PR was automatically generated by the SHA Pinner Audit tool.